Author: jfthomps Date: Tue Jun 16 14:55:02 2009 New Revision: 785242 URL: http://svn.apache.org/viewvc?rev=785242&view=rev Log: VCL-139
both files: removed requirement of user's email address being passed in shibauth/index.php: -added a check for passed in eppn already existing in database; if so, no other fields are required -removed all NCSU specific cases when setting the skin cookie Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php incubator/vcl/trunk/web/shibauth/index.php Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php?rev=785242&r1=785241&r2=785242&view=diff ==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/shibauth.php Tue Jun 16 14:55:02 2009
@@ -47,7 +47,8 @@
 $user["lastname"] = $_SERVER['sn'];
 else
 $user['lastname'] = $displast;
- $user["email"] = $_SERVER['mail'];
+ if(array_key_exists('mail', $_SERVER))
+ $user["email"] = $_SERVER['mail'];
 $user['unityid'] = $userid;
 $user['affilid'] = $affilid;
@@ -65,9 +66,10 @@
 $user['id'] = $row['id'];
 $query = "UPDATE user "
 . "SET firstname = '{$user['firstname']}', "
- . "lastname = '{$user['lastname']}', "
- . "email = '{$user['email']}', "
- . "emailnotices = 0, "
+ . "lastname = '{$user['lastname']}', ";
+ if(array_key_exists('email', $user))
+ $query .= "email = '{$user['email']}', ";
+ $query .= "emailnotices = 0, "
 . "lastupdated = NOW() "
 . "WHERE uid = {$user['id']}";
 doQuery($query, 101, 'vcl', 1);
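Review bot: An IdP that releases `mail` as an empty string still passes the new `array_key_exists('mail', $_SERVER)` check, so `$user["email"]` becomes `''` and the UPDATE and INSERT further down write an empty address instead of leaving the column alone. Tighten the guard to `if(array_key_exists('mail', $_SERVER) && $_SERVER['mail'] !== '')` so "not released" and "released but empty" are handled the same way. The enclosing function starts before this hunk.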
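Review bot: The now-optional `email = '{$user['email']}', ` fragment still interpolates the IdP-supplied `mail` attribute straight into the UPDATE string, as the firstname and lastname fragments above it already do; a value containing a single quote breaks the statement, and nothing visible in the hunk escapes it. Escape before interpolating, e.g. `$email = mysql_real_escape_string($user['email'], $mysql_link_vcl);` followed by `$query .= "email = '$email', ";` (the INSERT branch of this file already uses `$mysql_link_vcl`); the same applies to the INSERT at @@ -97 in this file and to the eppn lookup at @@ -2 of shibauth/index.php. A short comment on the conditional would also help, since the missing-`mail` case now deliberately keeps whatever address is stored: `# no mail attribute released: leave the existing email untouched`. The enclosing function starts before this hunk.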
@@ -97,17 +99,19 @@
 . "(unityid, "
 . "affiliationid, "
 . "firstname, "
- . "lastname, "
- . "email, "
- . "emailnotices, "
+ . "lastname, ";
+ if(array_key_exists('email', $user))
+ $query .= "email, ";
+ $query .= "emailnotices, "
 . "lastupdated) "
 . "VALUES ("
 . "'{$user['unityid']}', "
 . "{$user['affilid']}, "
 . "'{$user['firstname']}', "
- . "'{$user['lastname']}', "
- . "'{$user['email']}', "
- . "0, "
+ . "'{$user['lastname']}', ";
+ if(array_key_exists('email', $user))
+ $query .= "'{$user['email']}', ";
+ $query .= "0, "
 . "NOW())";
 doQuery($query, 101, 'vcl', 1);
 if(mysql_affected_rows($mysql_link_vcl)) {
Modified: incubator/vcl/trunk/web/shibauth/index.php URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/shibauth/index.php?rev=785242&r1=785241&r2=785242&view=diff ==============================================================================
--- incubator/vcl/trunk/web/shibauth/index.php (original)
+++ incubator/vcl/trunk/web/shibauth/index.php Tue Jun 16 14:55:02 2009
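Review bot: The `array_key_exists('email', $user)` test is written twice, once for the column list and once for the VALUES list, and the INSERT only stays valid while both copies agree; a later edit to one of them silently produces a column/value count mismatch that surfaces only as a runtime query error. Collecting the column names and the quoted values in two parallel arrays, appending `email` to both under a single condition and joining each with `implode(', ', …)` keeps the two lists in lockstep and makes the optional column visible in one place. The enclosing function starts before this hunk and continues after it.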
@@ -2,57 +2,75 @@
 chdir("..");
 require_once('.ht-inc/conf.php');
+require_once('.ht-inc/utils.php');
+require_once('.ht-inc/errors.php');
+function getFooter() {}
+$noHTMLwrappers = array();
+
+dbConnect();
+
 header("Cache-Control: no-cache, must-revalidate");
 header("Expires: Sat, 1 Jan 2000 00:00:00 GMT");
 if(! array_key_exists('eppn', $_SERVER) ||
- ! array_key_exists('mail', $_SERVER) ||
 (! (array_key_exists('sn', $_SERVER) && array_key_exists('givenName', $_SERVER)) && ! array_key_exists('displayName', $_SERVER))) {
- # check to see if any shib stuff in $_SERVER, if not redirect
- $keys = array_keys($_SERVER);
- $allkeys = '{' . implode('{', $keys);
- if(! preg_match('/^\{Shib-/', $allkeys)) {
- # no shib data, clear _shibsession cookie
- foreach(array_keys($_COOKIE) as $key) {
- if(preg_match('/^_shibsession[_0-9a-fA-F]+$/', $key))
- setcookie($key, "", time() - 10, "/", $_SERVER['SERVER_NAME']);
+ # check for eppn; if there, see if it is a user we already have
+ if(array_key_exists('eppn', $_SERVER)) {
+ $tmp = explode('@', $_SERVER['eppn']);
+ $query = "SELECT u.firstname, "
+ . "u.lastname "
+ . "FROM user u, "
+ . "affiliation a "
+ . "WHERE u.unityid = '{$tmp[0]}' AND "
+ . "a.shibname = '{$tmp[1]}' AND "
+ . "u.affiliationid = a.id";
+ $qh = doQuery($query, 101);
+ if($row = mysql_fetch_assoc($qh)) {
+ $_SERVER['sn'] = $row['lastname'];
+ $_SERVER['givenName'] = $row['firstname'];
+ }
+ else {
+ # check to see if any shib stuff in $_SERVER, if not redirect
+ $keys = array_keys($_SERVER);
+ $allkeys = '{' . implode('{', $keys);
+ if(! preg_match('/\{Shib-/', $allkeys)) {
+ # no shib data, clear _shibsession cookie
+ foreach(array_keys($_COOKIE) as $key) {
+ if(preg_match('/^_shibsession[_0-9a-fA-F]+$/', $key))
+ setcookie($key, "", time() - 10, "/", $_SERVER['SERVER_NAME']);
+ }
+ # redirect to main select auth page
+ header("Location: " . BASEURL . SCRIPT . 
"?mode=selectauth");
+ dbDisconnect();
+ exit;
+ }
+ print "<h2>Error with Shibboleth authentication</h2>\n";
+ print "You have attempted to log in using Shibboleth from an<br>\n";
+ print "institution that does not allow VCL to see all of these<br>\n";
+ print "attributes:<br>\n";
+ print "<ul>\n";
+ print "<li>eduPersonPrincipalName</li>\n";
+ print "</ul>\n";
+ print "and either:\n";
+ print "<ul>\n";
+ print "<li>sn and givenName</li>\n";
+ print "</ul>\n";
+ print "or:\n";
+ print "<ul>\n";
+ print "<li>displayName</li>\n";
+ print "</ul>\n";
+ print "You need to contact the administrator of your institution's<br>\n";
+ print "IdP to have all of those attributes be available to VCL in<br>\n";
+ print "order to log in using Shibboleth.\n";
+ dbDisconnect();
+ exit;
+ }
- # redirect to main select auth page
- header("Location: " . BASEURL . SCRIPT . "?mode=selectauth");
- exit;
 }
- print "<h2>Error with Shibboleth authentication</h2>\n";
- print "You have attempted to log in using Shibboleth from an<br>\n";
- print "institution that does not allow VCL to see all of these<br>\n";
- print "attributes:<br>\n";
- print "<ul>\n";
- print "<li>eduPersonPrincipalName</li>\n";
- print "<li>mail</li>\n";
- print "</ul>\n";
- print "and either:\n";
- print "<ul>\n";
- print "<li>sn and givenName</li>\n";
- print "</ul>\n";
- print "or:\n";
- print "<ul>\n";
- print "<li>displayName</li>\n";
- print "</ul>\n";
- print "You need to contact the administrator of your institution's<br>\n";
- print "IdP to have all of those attributes be available to VCL in<br>\n";
- print "order to log in using Shibboleth.\n";
- exit;
 }
-require_once('.ht-inc/utils.php');
-require_once('.ht-inc/errors.php');
-function getFooter() {}
-$noHTMLwrappers = array();
-
-dbConnect();
-
 // open keys
 $fp = fopen(".ht-inc/keys.pem", "r");
 $key = fread($fp, 8192);
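Review bot: When `eppn` is absent the request now falls through instead of being stopped: the redirect and the attribute error page were moved inside `if(array_key_exists('eppn', $_SERVER))`, so the first clause of the outer `if` selects a body that does nothing in exactly that case, and execution continues to `// open keys` and to later code that reads `$_SERVER['eppn']` (visible at @@ -92). Two smaller problems sit in the same lines: `explode('@', $_SERVER['eppn'])` yields no `$tmp[1]` when the value has no `@`, so the lookup runs with an empty `a.shibname` plus a PHP notice, and both halves are interpolated into the SELECT unescaped. Restructure so the lookup is attempted only for a well-formed eppn and the existing redirect/error branch runs whenever no row was found, escaping the two values first; the cookie clearing, redirect and error text stay as they are. Whether the fall-through can complete a login depends on code after the hunk, which is not visible here.
```php
	# look the user up only when a well-formed eppn (user@scope) was released
	$row = false;
	if(array_key_exists('eppn', $_SERVER)) {
		$tmp = explode('@', $_SERVER['eppn'], 2);
		if(count($tmp) == 2) {
			$unityid = mysql_real_escape_string($tmp[0]);
			$shibname = mysql_real_escape_string($tmp[1]);
			$query = "SELECT u.firstname, "
			       . "u.lastname "
			       . "FROM user u, "
			       . "affiliation a "
			       . "WHERE u.unityid = '$unityid' AND "
			       . "a.shibname = '$shibname' AND "
			       . "u.affiliationid = a.id";
			$qh = doQuery($query, 101);
			$row = mysql_fetch_assoc($qh);
		}
	}
	if($row) {
		$_SERVER['sn'] = $row['lastname'];
		$_SERVER['givenName'] = $row['firstname'];
	}
	else {
		# … unchanged: Shib- key check, _shibsession cookie clearing, redirect, attribute error page, exit …
	}
```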
@@ -80,7 +98,8 @@
 array_pop($tmp);
 $affilname = strtoupper(implode('', $tmp));
 $affilname = preg_replace('/[^A-Z0-9]/', '', $affilname);
- $query = "SELECT name "
+ $query = "SELECT name, "
+ . "shibname "
 . "FROM affiliation "
 . "WHERE name LIKE '$affilname%' "
 . "ORDER BY name DESC "
@@ -92,14 +111,18 @@
 $cnt++;
 $newaffilname = $affilname . $cnt;
 }
+ elseif($affilname != $row['name'] && $affil != $row['shibname']) {
+ $newaffilname = $affilname;
+ }
 else {
 $msg = "Someone tried to log in to VCL using Shibboleth from an idp "
 . "affiliation that could not be automatically added.\n\n"
 . "eppn: {$_SERVER['eppn']}\n"
 . "givenName: {$_SERVER['givenName']}\n"
- . "sn: {$_SERVER['sn']}\n"
- . "mail: {$_SERVER['mail']}\n\n"
- . "tried to add VCL affiliation name \"$affilname\" with "
+ . "sn: {$_SERVER['sn']}\n";
+ if(array_key_exists('mail', $_SERVER))
+ $msg .= "mail: {$_SERVER['mail']}\n\n";
+ $msg .="tried to add VCL affiliation name \"$affilname\" with "
 . "shibname \"$affil\"";
 $mailParams = "-f" . ENVELOPESENDER;
 mail(ERROREMAIL, "Error with VCL pages (problem adding shib affil)", $msg, '', $mailParams);
@@ -189,13 +212,9 @@
 setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN);
 # set skin cookie based on affiliation
 switch($affil) {
- case 'WakeTech':
- case 'JohnstonCC':
+ case 'Example1':
+ case 'EXAMPLE2':
 $skin = strtoupper($affil);
- case 'NCCU':
- case 'ECU':
- case 'UNCG':
- case 'WCU':
 setcookie("VCLSKIN", $skin, (time() + (SECINDAY * 31)), "/", COOKIEDOMAIN);
 break;
 default:
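Review bot: The added `elseif($affilname != $row['name'] && $affil != $row['shibname'])` reads `$row`, which is produced by the `if` that starts before this hunk; if that branch is only entered after a row was fetched this is fine, otherwise the comparison runs against `false`, so worth confirming. In the `$msg` assembly the blank line separating the attribute list from the "tried to add" sentence lived only in the `mail` fragment, so a report without `mail` now runs straight on; use `$msg .= "mail: {$_SERVER['mail']}\n";` inside the conditional and `$msg .= "\ntried to add VCL affiliation name \"$affilname\" with "` after it (and put a space after `.=`). `$_SERVER['givenName']` and `$_SERVER['sn']` are still interpolated unconditionally although the entry check at the top of the file accepts `displayName` in their place, unless code outside the hunk fills them in first.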
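Review bot: `case 'Example1':` and `case 'EXAMPLE2':` read as placeholders left in a production code path; the commit log says the site-specific labels were removed, so either document that deployers are expected to edit this switch, e.g. `# site-specific: list the affiliations that get their own skin here`, or move the affiliation-to-skin mapping into configuration and drop the switch. With the fall-through labels gone, `$skin` is assigned only inside those two cases within this hunk, so `setcookie("VCLSKIN", …)` is now reached only with a value; if `$skin` is also set before the switch that is worth a comment too. The switch continues after the hunk.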